lobos

asked on

ASP and SQL

It's with regards to the ASP, and session variables.
I am doing a Web site where it's security enforced. It's similar to the project you assigned us. A user logs in and from that login we determine what information they are allowed to see and what they can access. So reference to the login variable is gonna be needed all throughout the pages. So session variables are the way to go, right? But session variables don't last long... (default is 20). I am gonna need it for more than that, and well, all I have to do is set the timeout for the session to be a larger number. That will do it, won't it? Pretty sure it will, providing the timeout period is longer, right? I would be able to talk to different pages within a frameset and the session variable would still be alive, right? Is this my best approach or is there a better option?
Thanks for any HELP.

sybe

The sessionvariables "die" x minutes after the last user's activity. So they won't die when a user is visiting your website and asking for pages for about 2 hours.
Sessionvariables are bound to cookies, so the browser has to accept cookies. I am not sure how "hack-resistant" cookies are, so if your information is very sensitive, you might want to use another solution than session-variables (for example NT-security, you can ask for login-name with ASP).

About this "hacking": I have never really tried to do it. But I noticed that ASP-cookies have a code that is given out in a certain order to new visitors. So if visitor A gets cookie "ASP-4565421", visitor B would get "ASP-4565422". Someone could try to change the value of the cookie in his browser and get the security of another user.

Maybe it is possible to make the ASP-cookies be more random, I haven't looked for it. I solve possible security stuff through NT-security and use cookies (and sessionvariables) only for non-sensitive things.
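
As an added example (not part of the original thread and not code from either poster): a classic ASP include that combines the two approaches discussed above, a session variable with a longer idle timeout and a cross-check against the NT login name. The file names `authguard.asp` and `login.asp`, the keys `Session("UserName")` and `Session("Roles")`, and the 60-minute value are assumptions.

```asp
<%
' Constructed example: authguard.asp, a hypothetical include placed at the top
' of every protected page (including each page loaded inside the frameset).
Response.Buffer = True          ' lets Response.Redirect run after output has started

Const IDLE_MINUTES = 60         ' assumed value; the ASP default is 20
Session.Timeout = IDLE_MINUTES  ' idle window in minutes, restarted by every request

Sub RequireLogin()
    ' Session("UserName") is an assumed key, set by login.asp after a successful login.
    If IsEmpty(Session("UserName")) Then
        Response.Redirect "login.asp"   ' session expired or user never logged in
    End If

    ' When NT (Windows) authentication is enabled for the site, IIS fills LOGON_USER.
    ' Drop a session whose stored name does not match the authenticated account,
    ' so the session cookie alone never decides whose data is shown.
    Dim ntUser
    ntUser = Request.ServerVariables("LOGON_USER")
    If Len(ntUser) > 0 Then
        If StrComp(ntUser, Session("UserName"), vbTextCompare) <> 0 Then
            Session.Abandon
            Response.Redirect "login.asp"
        End If
    End If
End Sub

Sub RequireRole(roleName)
    ' Session("Roles") is an assumed comma-separated list stored at login, e.g. "staff,admin".
    RequireLogin
    If InStr(1, "," & Session("Roles") & ",", "," & roleName & ",", vbTextCompare) = 0 Then
        Response.Status = "403 Forbidden"
        Response.Write "Access denied."
        Response.End
    End If
End Sub
%>
```

A protected page would include this file and call `RequireLogin` or `RequireRole "admin"` before producing any output.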
ASKER CERTIFIED SOLUTION
ny_sky
